Merge remote-tracking branch 'origin/master' into rbac-generator-with-conditional-grants

# Conflicts: # README.md # build.gradle # doc/rbac.md # src/main/java/net/hostsharing/hsadminng/hs/office/coopassets/HsOfficeCoopAssetsTransactionEntity.java # src/main/java/net/hostsharing/hsadminng/hs/office/coopshares/HsOfficeCoopSharesTransactionEntity.java # src/main/java/net/hostsharing/hsadminng/hs/office/membership/HsOfficeMembershipEntity.java # src/main/resources/db/changelog/1-rbac/1050-rbac-base.sql # src/main/resources/db/changelog/1-rbac/1058-rbac-generators.sql # src/main/resources/db/changelog/1-rbac/1080-rbac-global.sql # src/main/resources/db/changelog/5-hs-office/503-relation/5033-hs-office-relation-rbac.md # src/main/resources/db/changelog/5-hs-office/503-relation/5033-hs-office-relation-rbac.sql # src/main/resources/db/changelog/5-hs-office/510-membership/5103-hs-office-membership-rbac.md # src/main/resources/db/changelog/5-hs-office/510-membership/5103-hs-office-membership-rbac.sql # src/main/resources/db/changelog/5-hs-office/511-coopshares/5113-hs-office-coopshares-rbac.md # src/main/resources/db/changelog/5-hs-office/511-coopshares/5113-hs-office-coopshares-rbac.sql # src/main/resources/db/changelog/5-hs-office/512-coopassets/5123-hs-office-coopassets-rbac.md # src/main/resources/db/changelog/5-hs-office/512-coopassets/5123-hs-office-coopassets-rbac.sql # src/test/java/net/hostsharing/hsadminng/hs/office/coopassets/HsOfficeCoopAssetsTransactionRepositoryIntegrationTest.java # src/test/java/net/hostsharing/hsadminng/hs/office/coopshares/HsOfficeCoopSharesTransactionRepositoryIntegrationTest.java # src/test/java/net/hostsharing/hsadminng/hs/office/membership/HsOfficeMembershipControllerAcceptanceTest.java # src/test/java/net/hostsharing/hsadminng/hs/office/membership/HsOfficeMembershipRepositoryIntegrationTest.java # src/test/java/net/hostsharing/hsadminng/hs/office/relation/HsOfficeRelationRepositoryIntegrationTest.java # src/test/java/net/hostsharing/hsadminng/hs/office/test/ContextBasedTestWithCleanup.java # src/test/java/net/hostsharing/hsadminng/rbac/rbacgrant/RbacGrantControllerAcceptanceTest.java # src/test/java/net/hostsharing/hsadminng/rbac/rbacrole/TestRbacRole.java
2024-04-03 08:17:09 +02:00 · 2024-04-03 08:17:09 +02:00 · 630a9fe3d0
commit 630a9fe3d0
parent 4f25bf1496 73c378b456
31 changed files with 156 additions and 172 deletions
--- a/README.md
+++ b/README.md
@ -82,7 +82,7 @@ If you have at least Docker and the Java JDK installed in appropriate versions a

    # the following command should return a JSON array with just all packages visible for the admin of the customer yyy:
    curl \
-        -H 'current-user: superuser-alex@hostsharing.net' -H 'assumed-roles: test_customer#yyy:admin' \
+        -H 'current-user: superuser-alex@hostsharing.net' -H 'assumed-roles: test_customer#yyy:ADMIN' \
        http://localhost:8080/api/test/packages

    # add a new customer
--- a/build.gradle
+++ b/build.gradle
@ -62,7 +62,6 @@ dependencies {
    implementation 'org.springdoc:springdoc-openapi:2.4.0'
    implementation 'org.postgresql:postgresql:42.7.3'
    implementation 'org.liquibase:liquibase-core:4.27.0'
-    //implementation 'com.vladmihalcea:hibernate-types-60:2.21.1'
    implementation 'io.hypersistence:hypersistence-utils-hibernate-63:3.7.3'
    implementation 'com.fasterxml.jackson.datatype:jackson-datatype-jsr310:2.17.0'
    implementation 'org.openapitools:jackson-databind-nullable:0.2.6'
--- a/doc/rbac.md
+++ b/doc/rbac.md
@ -206,7 +206,7 @@ and the *role-stereotype* describes a role relative to a referenced business-obj
 #### owner

 The owner-role is granted to the subject which created the business object.
-E.g. for a new *customer* it would be granted to 'administrators' and for a new *package* to the 'customer#...:admin'. 
+E.g. for a new *customer* it would be granted to 'administrators' and for a new *package* to the 'customer#...:ADMIN'. 

 Whoever has the owner-role assigned can do everything with the related business-object, including deleting (or deactivating) it.

@ -470,14 +470,14 @@ together {
    permCustomerXyzSELECT--> boCustXyz
 }

-entity "Role customer#xyz:tenant" as roleCustXyzTenant 
+entity "Role customer#xyz:TENANT" as roleCustXyzTenant 
 roleCustXyzTenant --> permCustomerXyzSELECT

-entity "Role customer#xyz:admin" as roleCustXyzAdmin
+entity "Role customer#xyz:ADMIN" as roleCustXyzAdmin
 roleCustXyzAdmin --> roleCustXyzTenant
 roleCustXyzAdmin --> permCustomerXyzINSERT:package

-entity "Role customer#xyz:owner" as roleCustXyzOwner
+entity "Role customer#xyz:OWNER" as roleCustXyzOwner
 roleCustXyzOwner ..> roleCustXyzAdmin
 roleCustXyzOwner --> permCustomerXyzDELETE

@ -493,7 +493,7 @@ actorHostmaster --> roleAdmins
 ```

 As you can see, there something special:
-From the 'Role customer#xyz:owner' to the 'Role customer#xyz:admin' there is a dashed line, whereas all other lines are solid lines.
+From the 'Role customer#xyz:OWNER' to the 'Role customer#xyz:admin' there is a dashed line, whereas all other lines are solid lines.
 Solid lines means, that one role is granted to another and automatically assumed in all queries to the restricted views.
 The dashed line means that one role is granted to another but not automatically assumed in queries to the restricted views.

@ -541,15 +541,15 @@ together {
 }

 package {
-    entity "Role customer#xyz:tenant" as roleCustXyzTenant
-    entity "Role customer#xyz:admin" as roleCustXyzAdmin    
-    entity "Role customer#xyz:owner" as roleCustXyzOwner
+    entity "Role customer#xyz:TENANT" as roleCustXyzTenant
+    entity "Role customer#xyz:ADMIN" as roleCustXyzAdmin    
+    entity "Role customer#xyz:OWNER" as roleCustXyzOwner
 }

 package {
-    entity "Role package#xyz00:owner" as rolePacXyz00Owner
-    entity "Role package#xyz00:admin" as rolePacXyz00Admin
-    entity "Role package#xyz00:tenant" as rolePacXyz00Tenant
+    entity "Role package#xyz00:OWNER" as rolePacXyz00Owner
+    entity "Role package#xyz00:ADMIN" as rolePacXyz00Admin
+    entity "Role package#xyz00:TENANT" as rolePacXyz00Tenant
 }

 rolePacXyz00Tenant --> permPacXyz00SELECT
--- a/src/main/java/net/hostsharing/hsadminng/hs/office/coopassets/HsOfficeCoopAssetsTransactionEntity.java
+++ b/src/main/java/net/hostsharing/hsadminng/hs/office/coopassets/HsOfficeCoopAssetsTransactionEntity.java
@ -1,7 +1,11 @@

 package net.hostsharing.hsadminng.hs.office.coopassets;

-import lombok.*;
+import lombok.AllArgsConstructor;
+import lombok.Builder;
+import lombok.Getter;
+import lombok.NoArgsConstructor;
+import lombok.Setter;
 import net.hostsharing.hsadminng.errors.DisplayName;
 import net.hostsharing.hsadminng.hs.office.membership.HsOfficeMembershipEntity;
 import net.hostsharing.hsadminng.rbac.rbacobject.RbacObject;
@ -10,7 +14,15 @@ import net.hostsharing.hsadminng.stringify.Stringify;
 import net.hostsharing.hsadminng.stringify.Stringifyable;
 import org.hibernate.annotations.GenericGenerator;

-import jakarta.persistence.*;
+import jakarta.persistence.Column;
+import jakarta.persistence.Entity;
+import jakarta.persistence.EnumType;
+import jakarta.persistence.Enumerated;
+import jakarta.persistence.GeneratedValue;
+import jakarta.persistence.Id;
+import jakarta.persistence.JoinColumn;
+import jakarta.persistence.ManyToOne;
+import jakarta.persistence.Table;
 import java.io.IOException;
 import java.math.BigDecimal;
 import java.time.LocalDate;
@ -20,8 +32,11 @@ import java.util.UUID;
 import static java.util.Optional.ofNullable;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Column.dependsOnColumn;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Nullable.NOT_NULL;
-import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.*;
+import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.INSERT;
+import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.SELECT;
+import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.UPDATE;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.ADMIN;
+import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.AGENT;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.SQL.directlyFetchedByDependsOnColumn;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.rbacViewFor;
 import static net.hostsharing.hsadminng.stringify.Stringify.stringify;
@ -109,7 +124,7 @@ public class HsOfficeCoopAssetsTransactionEntity implements Stringifyable, RbacO

                .toRole("membership", ADMIN).grantPermission(INSERT)
                .toRole("membership", ADMIN).grantPermission(UPDATE)
-                .toRole("membership", ADMIN).grantPermission(SELECT);
+                .toRole("membership", AGENT).grantPermission(SELECT);
    }

    public static void main(String[] args) throws IOException {
--- a/src/main/java/net/hostsharing/hsadminng/hs/office/coopshares/HsOfficeCoopSharesTransactionEntity.java
+++ b/src/main/java/net/hostsharing/hsadminng/hs/office/coopshares/HsOfficeCoopSharesTransactionEntity.java
@ -1,15 +1,27 @@
 package net.hostsharing.hsadminng.hs.office.coopshares;

-import lombok.*;
+import lombok.AllArgsConstructor;
+import lombok.Builder;
+import lombok.Getter;
+import lombok.NoArgsConstructor;
+import lombok.Setter;
 import net.hostsharing.hsadminng.errors.DisplayName;
 import net.hostsharing.hsadminng.hs.office.membership.HsOfficeMembershipEntity;
-import net.hostsharing.hsadminng.rbac.rbacobject.RbacObject;
 import net.hostsharing.hsadminng.rbac.rbacdef.RbacView;
+import net.hostsharing.hsadminng.rbac.rbacobject.RbacObject;
 import net.hostsharing.hsadminng.rbac.rbacdef.RbacView.SQL;
 import net.hostsharing.hsadminng.stringify.Stringify;
 import net.hostsharing.hsadminng.stringify.Stringifyable;

-import jakarta.persistence.*;
+import jakarta.persistence.Column;
+import jakarta.persistence.Entity;
+import jakarta.persistence.EnumType;
+import jakarta.persistence.Enumerated;
+import jakarta.persistence.GeneratedValue;
+import jakarta.persistence.Id;
+import jakarta.persistence.JoinColumn;
+import jakarta.persistence.ManyToOne;
+import jakarta.persistence.Table;
 import java.io.IOException;
 import java.time.LocalDate;
 import java.util.UUID;
@ -17,9 +29,11 @@ import java.util.UUID;
 import static java.util.Optional.ofNullable;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Column.dependsOnColumn;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Nullable.NOT_NULL;
-import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.*;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.INSERT;
-import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.*;
+import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.SELECT;
+import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.UPDATE;
+import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.ADMIN;
+import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.AGENT;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.SQL.directlyFetchedByDependsOnColumn;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.rbacViewFor;
 import static net.hostsharing.hsadminng.stringify.Stringify.stringify;
@ -105,7 +119,7 @@ public class HsOfficeCoopSharesTransactionEntity implements Stringifyable, RbacO

                .toRole("membership", ADMIN).grantPermission(INSERT)
                .toRole("membership", ADMIN).grantPermission(UPDATE)
-                .toRole("membership", ADMIN).grantPermission(SELECT);
+                .toRole("membership", AGENT).grantPermission(SELECT);
    }

    public static void main(String[] args) throws IOException {
--- a/src/main/java/net/hostsharing/hsadminng/hs/office/membership/HsOfficeMembershipEntity.java
+++ b/src/main/java/net/hostsharing/hsadminng/hs/office/membership/HsOfficeMembershipEntity.java
@ -28,7 +28,6 @@ import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.RbacUserReference.
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.ADMIN;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.AGENT;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.OWNER;
-import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.REFERRER;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.TENANT;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.SQL.fetchedBySql;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.rbacViewFor;
@ -148,14 +147,14 @@ public class HsOfficeMembershipEntity implements RbacObject, Stringifyable {

                .createRole(OWNER, (with) -> {
                    with.owningUser(CREATOR);
-                    with.incomingSuperRole("partnerRel", ADMIN);
-                    with.permission(DELETE);
                })
                .createSubRole(ADMIN, (with) -> {
-                    with.incomingSuperRole("partnerRel", AGENT);
+                    with.incomingSuperRole("partnerRel", ADMIN);
+                    with.permission(DELETE);
                    with.permission(UPDATE);
                })
-                .createSubRole(REFERRER, (with) -> {
+                .createSubRole(AGENT, (with) -> {
+                    with.incomingSuperRole("partnerRel", AGENT);
                    with.outgoingSubRole("partnerRel", TENANT);
                    with.permission(SELECT);
                });
--- a/src/main/java/net/hostsharing/hsadminng/mapper/PostgresArray.java
+++ b/src/main/java/net/hostsharing/hsadminng/mapper/PostgresArray.java
@ -1,58 +0,0 @@
-package net.hostsharing.hsadminng.mapper;
-
-import lombok.experimental.UtilityClass;
-import org.postgresql.util.PGtokenizer;
-
-import java.lang.reflect.Array;
-import java.nio.charset.StandardCharsets;
-import java.util.function.Function;
-
-@UtilityClass
-public class PostgresArray {
-
-    /**
-     * Converts a byte[], as returned for a Postgres-array by native queries, to a Java array.
-     *
-     * <p>This example code worked with Hibernate 5 (Spring Boot 3.0.x):
-     * <pre><code>
-     *      return (UUID[]) em.createNativeQuery("select currentSubjectsUuids() as uuids", UUID[].class).getSingleResult();
-     * </code></pre>
-     * </p>
-     *
-     * <p>With Hibernate 6 (Spring Boot 3.1.x), this utility method can be used like such:
-     * <pre><code>
-     *      final byte[] result = (byte[]) em.createNativeQuery("select * from currentSubjectsUuids() as uuids", UUID[].class)
-     *                 .getSingleResult();
-     *      return fromPostgresArray(result, UUID.class, UUID::fromString);
-     * </code></pre>
-     * </p>
-     *
-     * @param pgArray the byte[] returned by a native query containing as rendered for a Postgres array
-     * @param elementClass the class of a single element of the Java array to be returned
-     * @param itemParser converts a string element to the specified elementClass
-     * @return a Java array containing the data from pgArray
-     * @param <T> type of a single element of the Java array
-     */
-    public static <T> T[] fromPostgresArray(final byte[] pgArray, final Class<T> elementClass, final Function<String, T> itemParser) {
-        final var pgArrayLiteral = new String(pgArray, StandardCharsets.UTF_8);
-        if (pgArrayLiteral.length() == 2) {
-            return newGenericArray(elementClass, 0);
-        }
-        final PGtokenizer tokenizer = new PGtokenizer(pgArrayLiteral.substring(1, pgArrayLiteral.length()-1), ',');
-        tokenizer.remove("\"", "\"");
-        final T[] array = newGenericArray(elementClass, tokenizer.getSize()); // Create a new array of the specified type and length
-        for ( int n = 0; n < tokenizer.getSize(); ++n ) {
-            final String token = tokenizer.getToken(n);
-            if ( !"NULL".equals(token) ) {
-                array[n] = itemParser.apply(token.trim().replace("\\\"", "\""));
-            }
-        }
-        return array;
-    }
-
-    @SuppressWarnings("unchecked")
-    private static <T> T[] newGenericArray(final Class<T> elementClass, final int length) {
-        return (T[]) Array.newInstance(elementClass, length);
-    }
-
-}
--- a/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RolesGrantsAndPermissionsGenerator.java
+++ b/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RolesGrantsAndPermissionsGenerator.java
@ -302,7 +302,7 @@ class RolesGrantsAndPermissionsGenerator {
                        .replace("${superRoleRef}", roleRef(NEW, grantDef.getSuperRoleDef()));
        };
        if (grantDef.isConditional()) {
-            return "if " + grantDef.getSqlWhere() + " then\n"
+            return "if " + grantDef.getOnlyInCaseOf() + " then\n"
                    + "    " + grantSql + "\n"
                    + "end if;";
        }
--- a/src/main/java/net/hostsharing/hsadminng/rbac/rbacgrant/RbacGrantsDiagramService.java
+++ b/src/main/java/net/hostsharing/hsadminng/rbac/rbacgrant/RbacGrantsDiagramService.java
@ -167,7 +167,7 @@ public class RbacGrantsDiagramService {
            return "users";
        }
        if (refType.equals("perm")) {
-            return node.idName().split(" ", 4)[3];
+            return node.idName().split(":", 3)[1];
        }
        if (refType.equals("role")) {
            final var withoutRolePrefix = node.idName().substring("role:".length());
--- a/src/main/java/net/hostsharing/hsadminng/rbac/rbacrole/RbacRoleController.java
+++ b/src/main/java/net/hostsharing/hsadminng/rbac/rbacrole/RbacRoleController.java
@ -31,7 +31,7 @@ public class RbacRoleController implements RbacRolesApi {

        context.define(currentUser, assumedRoles);

-        final List<RbacRoleRvEntity> result = rbacRoleRepository.findAll();
+        final List<RbacRoleEntity> result = rbacRoleRepository.findAll();

        return ResponseEntity.ok(mapper.mapList(result, RbacRoleResource.class));
    }
--- a/src/main/java/net/hostsharing/hsadminng/rbac/rbacrole/RbacRoleRvEntity.java
+++ b/src/main/java/net/hostsharing/hsadminng/rbac/rbacrole/RbacRoleRvEntity.java
@ -15,7 +15,7 @@ import java.util.UUID;
@Immutable
@NoArgsConstructor
@AllArgsConstructor
-public class RbacRoleRvEntity {
+public class RbacRoleEntity {

    @Id
    @GeneratedValue
--- a/src/main/java/net/hostsharing/hsadminng/rbac/rbacrole/RbacRoleRepository.java
+++ b/src/main/java/net/hostsharing/hsadminng/rbac/rbacrole/RbacRoleRepository.java
@ -5,7 +5,7 @@ import org.springframework.data.repository.Repository;
 import java.util.List;
 import java.util.UUID;

-public interface RbacRoleRepository extends Repository<RbacRoleRvEntity, UUID> {
+public interface RbacRoleRepository extends Repository<RbacRoleEntity, UUID> {

    /**
     * @return the number of persistent RbacRoleEntity instances, mostly for testing purposes.
@ -15,7 +15,7 @@ public interface RbacRoleRepository extends Repository<RbacRoleRvEntity, UUID> {
    /**
     * @return all persistent RbacRoleEntity instances, assigned to the current subject (user or assumed roles)
     */
-    List<RbacRoleRvEntity> findAll();
+    List<RbacRoleEntity> findAll();

-    RbacRoleRvEntity findByRoleName(String roleName);
+    RbacRoleEntity findByRoleName(String roleName);
 }
--- a/src/main/resources/db/changelog/1-rbac/1058-rbac-generators.sql
+++ b/src/main/resources/db/changelog/1-rbac/1058-rbac-generators.sql
@ -73,6 +73,15 @@ begin
            return roleDescriptor('%2$s', entity.uuid, 'TENANT', assumed);
        end; $f$;

+        -- TODO: remove guest role
+        create or replace function %1$sGuest(entity %2$s, assumed boolean = true)
+            returns RbacRoleDescriptor
+            language plpgsql
+            strict as $f$
+        begin
+            return roleDescriptor('%2$s', entity.uuid, 'GUEST', assumed);
+        end; $f$;
+
        create or replace function %1$sReferrer(entity %2$s)
            returns RbacRoleDescriptor
            language plpgsql
--- a/src/main/resources/db/changelog/1-rbac/1080-rbac-global.sql
+++ b/src/main/resources/db/changelog/1-rbac/1080-rbac-global.sql
@ -139,7 +139,7 @@ select 'global', (select uuid from RbacObject where objectTable = 'global'), 'GU
 $$;

 begin transaction;
-    call defineContext('creating role:global#loba:guest', null, null, null);
+    call defineContext('creating role:global#global:guest', null, null, null);
    select createRole(globalGuest());
 commit;
 --//
--- a/src/main/resources/db/changelog/5-hs-office/504-partner/5043-hs-office-partner-rbac.md
+++ b/src/main/resources/db/changelog/5-hs-office/504-partner/5043-hs-office-partner-rbac.md
@ -97,12 +97,13 @@ role:global:ADMIN -.-> role:partnerRel.contact:OWNER
 role:partnerRel.contact:OWNER -.-> role:partnerRel.contact:ADMIN
 role:partnerRel.contact:ADMIN -.-> role:partnerRel.contact:REFERRER
 role:global:ADMIN -.-> role:partnerRel:OWNER
+role:partnerRel.holderPerson:ADMIN -.-> role:partnerRel:OWNER
 role:partnerRel:OWNER -.-> role:partnerRel:ADMIN
 role:partnerRel.anchorPerson:ADMIN -.-> role:partnerRel:ADMIN
+role:partnerRel:ADMIN -.-> role:partnerRel.anchorPerson:OWNER
 role:partnerRel:ADMIN -.-> role:partnerRel:AGENT
 role:partnerRel.holderPerson:ADMIN -.-> role:partnerRel:AGENT
 role:partnerRel:AGENT -.-> role:partnerRel:TENANT
-role:partnerRel.holderPerson:ADMIN -.-> role:partnerRel:TENANT
 role:partnerRel.contact:ADMIN -.-> role:partnerRel:TENANT
 role:partnerRel:TENANT -.-> role:partnerRel.anchorPerson:REFERRER
 role:partnerRel:TENANT -.-> role:partnerRel.holderPerson:REFERRER
--- a/src/main/resources/db/changelog/5-hs-office/506-debitor/5063-hs-office-debitor-rbac.md
+++ b/src/main/resources/db/changelog/5-hs-office/506-debitor/5063-hs-office-debitor-rbac.md
@ -150,12 +150,13 @@ role:global:ADMIN -.-> role:debitorRel.contact:OWNER
 role:debitorRel.contact:OWNER -.-> role:debitorRel.contact:ADMIN
 role:debitorRel.contact:ADMIN -.-> role:debitorRel.contact:REFERRER
 role:global:ADMIN -.-> role:debitorRel:OWNER
+role:debitorRel.holderPerson:ADMIN -.-> role:debitorRel:OWNER
 role:debitorRel:OWNER -.-> role:debitorRel:ADMIN
 role:debitorRel.anchorPerson:ADMIN -.-> role:debitorRel:ADMIN
+role:debitorRel:ADMIN -.-> role:debitorRel.anchorPerson:OWNER
 role:debitorRel:ADMIN -.-> role:debitorRel:AGENT
 role:debitorRel.holderPerson:ADMIN -.-> role:debitorRel:AGENT
 role:debitorRel:AGENT -.-> role:debitorRel:TENANT
-role:debitorRel.holderPerson:ADMIN -.-> role:debitorRel:TENANT
 role:debitorRel.contact:ADMIN -.-> role:debitorRel:TENANT
 role:debitorRel:TENANT -.-> role:debitorRel.anchorPerson:REFERRER
 role:debitorRel:TENANT -.-> role:debitorRel.holderPerson:REFERRER
@ -175,12 +176,13 @@ role:global:ADMIN -.-> role:partnerRel.contact:OWNER
 role:partnerRel.contact:OWNER -.-> role:partnerRel.contact:ADMIN
 role:partnerRel.contact:ADMIN -.-> role:partnerRel.contact:REFERRER
 role:global:ADMIN -.-> role:partnerRel:OWNER
+role:partnerRel.holderPerson:ADMIN -.-> role:partnerRel:OWNER
 role:partnerRel:OWNER -.-> role:partnerRel:ADMIN
 role:partnerRel.anchorPerson:ADMIN -.-> role:partnerRel:ADMIN
+role:partnerRel:ADMIN -.-> role:partnerRel.anchorPerson:OWNER
 role:partnerRel:ADMIN -.-> role:partnerRel:AGENT
 role:partnerRel.holderPerson:ADMIN -.-> role:partnerRel:AGENT
 role:partnerRel:AGENT -.-> role:partnerRel:TENANT
-role:partnerRel.holderPerson:ADMIN -.-> role:partnerRel:TENANT
 role:partnerRel.contact:ADMIN -.-> role:partnerRel:TENANT
 role:partnerRel:TENANT -.-> role:partnerRel.anchorPerson:REFERRER
 role:partnerRel:TENANT -.-> role:partnerRel.holderPerson:REFERRER
--- a/src/main/resources/db/changelog/5-hs-office/507-sepamandate/5073-hs-office-sepamandate-rbac.md
+++ b/src/main/resources/db/changelog/5-hs-office/507-sepamandate/5073-hs-office-sepamandate-rbac.md
@ -109,12 +109,13 @@ role:global:ADMIN -.-> role:debitorRel.contact:OWNER
 role:debitorRel.contact:OWNER -.-> role:debitorRel.contact:ADMIN
 role:debitorRel.contact:ADMIN -.-> role:debitorRel.contact:REFERRER
 role:global:ADMIN -.-> role:debitorRel:OWNER
+role:debitorRel.holderPerson:ADMIN -.-> role:debitorRel:OWNER
 role:debitorRel:OWNER -.-> role:debitorRel:ADMIN
 role:debitorRel.anchorPerson:ADMIN -.-> role:debitorRel:ADMIN
+role:debitorRel:ADMIN -.-> role:debitorRel.anchorPerson:OWNER
 role:debitorRel:ADMIN -.-> role:debitorRel:AGENT
 role:debitorRel.holderPerson:ADMIN -.-> role:debitorRel:AGENT
 role:debitorRel:AGENT -.-> role:debitorRel:TENANT
-role:debitorRel.holderPerson:ADMIN -.-> role:debitorRel:TENANT
 role:debitorRel.contact:ADMIN -.-> role:debitorRel:TENANT
 role:debitorRel:TENANT -.-> role:debitorRel.anchorPerson:REFERRER
 role:debitorRel:TENANT -.-> role:debitorRel.holderPerson:REFERRER
--- a/src/main/resources/db/changelog/5-hs-office/510-membership/5103-hs-office-membership-rbac.md
+++ b/src/main/resources/db/changelog/5-hs-office/510-membership/5103-hs-office-membership-rbac.md
@ -42,7 +42,7 @@ subgraph membership["`**membership**`"]

        role:membership:OWNER[[membership:OWNER]]
        role:membership:ADMIN[[membership:ADMIN]]
-        role:membership:REFERRER[[membership:REFERRER]]
+        role:membership:AGENT[[membership:AGENT]]
    end

    subgraph membership:permissions[ ]
@ -95,26 +95,27 @@ role:global:ADMIN -.-> role:partnerRel.contact:OWNER
 role:partnerRel.contact:OWNER -.-> role:partnerRel.contact:ADMIN
 role:partnerRel.contact:ADMIN -.-> role:partnerRel.contact:REFERRER
 role:global:ADMIN -.-> role:partnerRel:OWNER
+role:partnerRel.holderPerson:ADMIN -.-> role:partnerRel:OWNER
 role:partnerRel:OWNER -.-> role:partnerRel:ADMIN
 role:partnerRel.anchorPerson:ADMIN -.-> role:partnerRel:ADMIN
+role:partnerRel:ADMIN -.-> role:partnerRel.anchorPerson:OWNER
 role:partnerRel:ADMIN -.-> role:partnerRel:AGENT
 role:partnerRel.holderPerson:ADMIN -.-> role:partnerRel:AGENT
 role:partnerRel:AGENT -.-> role:partnerRel:TENANT
-role:partnerRel.holderPerson:ADMIN -.-> role:partnerRel:TENANT
 role:partnerRel.contact:ADMIN -.-> role:partnerRel:TENANT
 role:partnerRel:TENANT -.-> role:partnerRel.anchorPerson:REFERRER
 role:partnerRel:TENANT -.-> role:partnerRel.holderPerson:REFERRER
 role:partnerRel:TENANT -.-> role:partnerRel.contact:REFERRER
-role:partnerRel:ADMIN ==> role:membership:OWNER
 role:membership:OWNER ==> role:membership:ADMIN
-role:partnerRel:AGENT ==> role:membership:ADMIN
-role:membership:ADMIN ==> role:membership:REFERRER
-role:membership:REFERRER ==> role:partnerRel:TENANT
+role:partnerRel:ADMIN ==> role:membership:ADMIN
+role:membership:ADMIN ==> role:membership:AGENT
+role:partnerRel:AGENT ==> role:membership:AGENT
+role:membership:AGENT ==> role:partnerRel:TENANT

 %% granting permissions to roles
 role:global:ADMIN ==> perm:membership:INSERT
-role:membership:OWNER ==> perm:membership:DELETE
+role:membership:ADMIN ==> perm:membership:DELETE
 role:membership:ADMIN ==> perm:membership:UPDATE
-role:membership:REFERRER ==> perm:membership:SELECT
+role:membership:AGENT ==> perm:membership:SELECT

 ```
--- a/src/main/resources/db/changelog/5-hs-office/510-membership/5103-hs-office-membership-rbac.sql
+++ b/src/main/resources/db/changelog/5-hs-office/510-membership/5103-hs-office-membership-rbac.sql
@ -45,23 +45,23 @@ begin

    perform createRoleWithGrants(
        hsOfficeMembershipOWNER(NEW),
-            permissions => array['DELETE'],
-            incomingSuperRoles => array[hsOfficeRelationADMIN(newPartnerRel)],
            userUuids => array[currentUserUuid()]
    );

    perform createRoleWithGrants(
        hsOfficeMembershipADMIN(NEW),
-            permissions => array['UPDATE'],
+            permissions => array['DELETE', 'UPDATE'],
            incomingSuperRoles => array[
            	hsOfficeMembershipOWNER(NEW),
-            	hsOfficeRelationAGENT(newPartnerRel)]
+            	hsOfficeRelationADMIN(newPartnerRel)]
    );

    perform createRoleWithGrants(
-        hsOfficeMembershipREFERRER(NEW),
+        hsOfficeMembershipAGENT(NEW),
            permissions => array['SELECT'],
-            incomingSuperRoles => array[hsOfficeMembershipADMIN(NEW)],
+            incomingSuperRoles => array[
+            	hsOfficeMembershipADMIN(NEW),
+            	hsOfficeRelationAGENT(newPartnerRel)],
            outgoingSubRoles => array[hsOfficeRelationTENANT(newPartnerRel)]
    );

--- a/src/main/resources/db/changelog/5-hs-office/511-coopshares/5113-hs-office-coopshares-rbac.md
+++ b/src/main/resources/db/changelog/5-hs-office/511-coopshares/5113-hs-office-coopshares-rbac.md
@ -54,7 +54,7 @@ subgraph membership["`**membership**`"]

        role:membership:OWNER[[membership:OWNER]]
        role:membership:ADMIN[[membership:ADMIN]]
-        role:membership:REFERRER[[membership:REFERRER]]
+        role:membership:AGENT[[membership:AGENT]]
    end
 end

@ -96,25 +96,26 @@ role:global:ADMIN -.-> role:membership.partnerRel.contact:OWNER
 role:membership.partnerRel.contact:OWNER -.-> role:membership.partnerRel.contact:ADMIN
 role:membership.partnerRel.contact:ADMIN -.-> role:membership.partnerRel.contact:REFERRER
 role:global:ADMIN -.-> role:membership.partnerRel:OWNER
+role:membership.partnerRel.holderPerson:ADMIN -.-> role:membership.partnerRel:OWNER
 role:membership.partnerRel:OWNER -.-> role:membership.partnerRel:ADMIN
 role:membership.partnerRel.anchorPerson:ADMIN -.-> role:membership.partnerRel:ADMIN
+role:membership.partnerRel:ADMIN -.-> role:membership.partnerRel.anchorPerson:OWNER
 role:membership.partnerRel:ADMIN -.-> role:membership.partnerRel:AGENT
 role:membership.partnerRel.holderPerson:ADMIN -.-> role:membership.partnerRel:AGENT
 role:membership.partnerRel:AGENT -.-> role:membership.partnerRel:TENANT
-role:membership.partnerRel.holderPerson:ADMIN -.-> role:membership.partnerRel:TENANT
 role:membership.partnerRel.contact:ADMIN -.-> role:membership.partnerRel:TENANT
 role:membership.partnerRel:TENANT -.-> role:membership.partnerRel.anchorPerson:REFERRER
 role:membership.partnerRel:TENANT -.-> role:membership.partnerRel.holderPerson:REFERRER
 role:membership.partnerRel:TENANT -.-> role:membership.partnerRel.contact:REFERRER
-role:membership.partnerRel:ADMIN -.-> role:membership:OWNER
 role:membership:OWNER -.-> role:membership:ADMIN
-role:membership.partnerRel:AGENT -.-> role:membership:ADMIN
-role:membership:ADMIN -.-> role:membership:REFERRER
-role:membership:REFERRER -.-> role:membership.partnerRel:TENANT
+role:membership.partnerRel:ADMIN -.-> role:membership:ADMIN
+role:membership:ADMIN -.-> role:membership:AGENT
+role:membership.partnerRel:AGENT -.-> role:membership:AGENT
+role:membership:AGENT -.-> role:membership.partnerRel:TENANT

 %% granting permissions to roles
 role:membership:ADMIN ==> perm:coopSharesTransaction:INSERT
 role:membership:ADMIN ==> perm:coopSharesTransaction:UPDATE
-role:membership:ADMIN ==> perm:coopSharesTransaction:SELECT
+role:membership:AGENT ==> perm:coopSharesTransaction:SELECT

 ```
--- a/src/main/resources/db/changelog/5-hs-office/511-coopshares/5113-hs-office-coopshares-rbac.sql
+++ b/src/main/resources/db/changelog/5-hs-office/511-coopshares/5113-hs-office-coopshares-rbac.sql
@ -38,7 +38,7 @@ begin
    SELECT * FROM hs_office_membership WHERE uuid = NEW.membershipUuid    INTO newMembership;
    assert newMembership.uuid is not null, format('newMembership must not be null for NEW.membershipUuid = %s', NEW.membershipUuid);

-    call grantPermissionToRole(createPermission(NEW.uuid, 'SELECT'), hsOfficeMembershipADMIN(newMembership));
+    call grantPermissionToRole(createPermission(NEW.uuid, 'SELECT'), hsOfficeMembershipAGENT(newMembership));
    call grantPermissionToRole(createPermission(NEW.uuid, 'UPDATE'), hsOfficeMembershipADMIN(newMembership));

    call leaveTriggerForObjectUuid(NEW.uuid);
--- a/src/main/resources/db/changelog/5-hs-office/512-coopassets/5123-hs-office-coopassets-rbac.md
+++ b/src/main/resources/db/changelog/5-hs-office/512-coopassets/5123-hs-office-coopassets-rbac.md
@ -54,7 +54,7 @@ subgraph membership["`**membership**`"]

        role:membership:OWNER[[membership:OWNER]]
        role:membership:ADMIN[[membership:ADMIN]]
-        role:membership:REFERRER[[membership:REFERRER]]
+        role:membership:AGENT[[membership:AGENT]]
    end
 end

@ -96,25 +96,26 @@ role:global:ADMIN -.-> role:membership.partnerRel.contact:OWNER
 role:membership.partnerRel.contact:OWNER -.-> role:membership.partnerRel.contact:ADMIN
 role:membership.partnerRel.contact:ADMIN -.-> role:membership.partnerRel.contact:REFERRER
 role:global:ADMIN -.-> role:membership.partnerRel:OWNER
+role:membership.partnerRel.holderPerson:ADMIN -.-> role:membership.partnerRel:OWNER
 role:membership.partnerRel:OWNER -.-> role:membership.partnerRel:ADMIN
 role:membership.partnerRel.anchorPerson:ADMIN -.-> role:membership.partnerRel:ADMIN
+role:membership.partnerRel:ADMIN -.-> role:membership.partnerRel.anchorPerson:OWNER
 role:membership.partnerRel:ADMIN -.-> role:membership.partnerRel:AGENT
 role:membership.partnerRel.holderPerson:ADMIN -.-> role:membership.partnerRel:AGENT
 role:membership.partnerRel:AGENT -.-> role:membership.partnerRel:TENANT
-role:membership.partnerRel.holderPerson:ADMIN -.-> role:membership.partnerRel:TENANT
 role:membership.partnerRel.contact:ADMIN -.-> role:membership.partnerRel:TENANT
 role:membership.partnerRel:TENANT -.-> role:membership.partnerRel.anchorPerson:REFERRER
 role:membership.partnerRel:TENANT -.-> role:membership.partnerRel.holderPerson:REFERRER
 role:membership.partnerRel:TENANT -.-> role:membership.partnerRel.contact:REFERRER
-role:membership.partnerRel:ADMIN -.-> role:membership:OWNER
 role:membership:OWNER -.-> role:membership:ADMIN
-role:membership.partnerRel:AGENT -.-> role:membership:ADMIN
-role:membership:ADMIN -.-> role:membership:REFERRER
-role:membership:REFERRER -.-> role:membership.partnerRel:TENANT
+role:membership.partnerRel:ADMIN -.-> role:membership:ADMIN
+role:membership:ADMIN -.-> role:membership:AGENT
+role:membership.partnerRel:AGENT -.-> role:membership:AGENT
+role:membership:AGENT -.-> role:membership.partnerRel:TENANT

 %% granting permissions to roles
 role:membership:ADMIN ==> perm:coopAssetsTransaction:INSERT
 role:membership:ADMIN ==> perm:coopAssetsTransaction:UPDATE
-role:membership:ADMIN ==> perm:coopAssetsTransaction:SELECT
+role:membership:AGENT ==> perm:coopAssetsTransaction:SELECT

 ```
--- a/src/main/resources/db/changelog/5-hs-office/512-coopassets/5123-hs-office-coopassets-rbac.sql
+++ b/src/main/resources/db/changelog/5-hs-office/512-coopassets/5123-hs-office-coopassets-rbac.sql
@ -38,7 +38,7 @@ begin
    SELECT * FROM hs_office_membership WHERE uuid = NEW.membershipUuid    INTO newMembership;
    assert newMembership.uuid is not null, format('newMembership must not be null for NEW.membershipUuid = %s', NEW.membershipUuid);

-    call grantPermissionToRole(createPermission(NEW.uuid, 'SELECT'), hsOfficeMembershipADMIN(newMembership));
+    call grantPermissionToRole(createPermission(NEW.uuid, 'SELECT'), hsOfficeMembershipAGENT(newMembership));
    call grantPermissionToRole(createPermission(NEW.uuid, 'UPDATE'), hsOfficeMembershipADMIN(newMembership));

    call leaveTriggerForObjectUuid(NEW.uuid);
--- a/src/test/java/net/hostsharing/hsadminng/hs/office/coopassets/HsOfficeCoopAssetsTransactionRepositoryIntegrationTest.java
+++ b/src/test/java/net/hostsharing/hsadminng/hs/office/coopassets/HsOfficeCoopAssetsTransactionRepositoryIntegrationTest.java
@ -112,7 +112,7 @@ class HsOfficeCoopAssetsTransactionRepositoryIntegrationTest extends ContextBase
                    .map(s -> s.replace("hs_office_", ""))
                    .containsExactlyInAnyOrder(Array.fromFormatted(
                            initialGrantNames,
-                            "{ grant perm:coopassetstransaction#temprefB:SELECT to role:membership#M-1000101:ADMIN by system and assume }",
+                            "{ grant perm:coopassetstransaction#temprefB:SELECT to role:membership#M-1000101:AGENT by system and assume }",
                            "{ grant perm:coopassetstransaction#temprefB:UPDATE to role:membership#M-1000101:ADMIN by system and assume }",
                            null));
        }
--- a/src/test/java/net/hostsharing/hsadminng/hs/office/coopshares/HsOfficeCoopSharesTransactionRepositoryIntegrationTest.java
+++ b/src/test/java/net/hostsharing/hsadminng/hs/office/coopshares/HsOfficeCoopSharesTransactionRepositoryIntegrationTest.java
@ -111,7 +111,7 @@ class HsOfficeCoopSharesTransactionRepositoryIntegrationTest extends ContextBase
                    .map(s -> s.replace("hs_office_", ""))
                    .containsExactlyInAnyOrder(Array.fromFormatted(
                            initialGrantNames,
-                            "{ grant perm:coopsharestransaction#temprefB:SELECT to role:membership#M-1000101:ADMIN by system and assume }",
+                            "{ grant perm:coopsharestransaction#temprefB:SELECT to role:membership#M-1000101:AGENT by system and assume }",
                            "{ grant perm:coopsharestransaction#temprefB:UPDATE to role:membership#M-1000101:ADMIN by system and assume }",
                            null));
        }
--- a/src/test/java/net/hostsharing/hsadminng/hs/office/membership/HsOfficeMembershipControllerAcceptanceTest.java
+++ b/src/test/java/net/hostsharing/hsadminng/hs/office/membership/HsOfficeMembershipControllerAcceptanceTest.java
@ -335,18 +335,18 @@ class HsOfficeMembershipControllerAcceptanceTest extends ContextBasedTestWithCle
        }

        @Test
-        void partnerRelAgent_canPatchValidityOfRelatedMembership() {
+        void partnerRelAdmin_canPatchValidityOfRelatedMembership() {

            // given
-            final var givenPartnerAgent = "hs_office_relation#HostsharingeG-with-PARTNER-FirstGmbH:AGENT";
-            context.define("superuser-alex@hostsharing.net", givenPartnerAgent);
+            final var givenPartnerAdmin = "hs_office_relation#HostsharingeG-with-PARTNER-FirstGmbH:ADMIN";
+            context.define("superuser-alex@hostsharing.net", givenPartnerAdmin);
            final var givenMembership = givenSomeTemporaryMembershipBessler("First");

            // when
            RestAssured // @formatter:off
                .given()
                    .header("current-user", "superuser-alex@hostsharing.net")
-                    .header("assumed-roles", givenPartnerAgent)
+                    .header("assumed-roles", givenPartnerAdmin)
                    .contentType(ContentType.JSON)
                    .body("""
                           {
--- a/src/test/java/net/hostsharing/hsadminng/hs/office/membership/HsOfficeMembershipRepositoryIntegrationTest.java
+++ b/src/test/java/net/hostsharing/hsadminng/hs/office/membership/HsOfficeMembershipRepositoryIntegrationTest.java
@ -110,9 +110,9 @@ class HsOfficeMembershipRepositoryIntegrationTest extends ContextBasedTestWithCl
            final var all = rawRoleRepo.findAll();
            assertThat(distinctRoleNamesOf(all)).containsExactlyInAnyOrder(Array.from(
                    initialRoleNames,
-                    "hs_office_membership#M-1000117:ADMIN",
                    "hs_office_membership#M-1000117:OWNER",
-                    "hs_office_membership#M-1000117:REFERRER"));
+                    "hs_office_membership#M-1000117:ADMIN",
+                    "hs_office_membership#M-1000117:AGENT"));
            assertThat(distinctGrantDisplaysOf(rawGrantRepo.findAll()))
                    .map(s -> s.replace("hs_office_", ""))
                    .containsExactlyInAnyOrder(Array.fromFormatted(
@ -122,21 +122,21 @@ class HsOfficeMembershipRepositoryIntegrationTest extends ContextBasedTestWithCl
                            "{ grant perm:membership#M-1000117:INSERT>coopsharestransaction to role:membership#M-1000117:ADMIN by system and assume }",

                            // owner
-                            "{ grant perm:membership#M-1000117:DELETE       to role:membership#M-1000117:OWNER by system and assume }",
+                            "{ grant perm:membership#M-1000117:DELETE to role:membership#M-1000117:ADMIN by system and assume }",
+                            "{ grant role:membership#M-1000117:OWNER to user:superuser-alex@hostsharing.net by membership#M-1000117:OWNER and assume }",

                            // admin
-                            "{ grant perm:membership#M-1000117:UPDATE       to role:membership#M-1000117:ADMIN by system and assume }",
-                            "{ grant role:membership#M-1000117:ADMIN        to role:membership#M-1000117:OWNER by system and assume }",
-                            "{ grant role:membership#M-1000117:OWNER        to role:relation#HostsharingeG-with-PARTNER-FirstGmbH:ADMIN by system and assume }",
-                            "{ grant role:membership#M-1000117:OWNER        to user:superuser-alex@hostsharing.net by membership#M-1000117:OWNER and assume }",
+                            "{ grant perm:membership#M-1000117:UPDATE to role:membership#M-1000117:ADMIN by system and assume }",
+                            "{ grant role:membership#M-1000117:ADMIN to role:membership#M-1000117:OWNER by system and assume }",
+                            "{ grant role:membership#M-1000117:ADMIN to role:relation#HostsharingeG-with-PARTNER-FirstGmbH:ADMIN by system and assume }",

                            // agent
-                            "{ grant role:membership#M-1000117:ADMIN        to role:relation#HostsharingeG-with-PARTNER-FirstGmbH:AGENT by system and assume }",
+                            "{ grant perm:membership#M-1000117:SELECT to role:membership#M-1000117:AGENT by system and assume }",
+                            "{ grant role:membership#M-1000117:AGENT to role:membership#M-1000117:ADMIN by system and assume }",

                            // referrer
-                            "{ grant perm:membership#M-1000117:SELECT       to role:membership#M-1000117:REFERRER by system and assume }",
-                            "{ grant role:membership#M-1000117:REFERRER     to role:membership#M-1000117:ADMIN by system and assume }",
-                            "{ grant role:relation#HostsharingeG-with-PARTNER-FirstGmbH:TENANT to role:membership#M-1000117:REFERRER by system and assume }",
+                            "{ grant role:membership#M-1000117:AGENT to role:relation#HostsharingeG-with-PARTNER-FirstGmbH:AGENT by system and assume }",
+                            "{ grant role:relation#HostsharingeG-with-PARTNER-FirstGmbH:TENANT to role:membership#M-1000117:AGENT by system and assume }",

                            null));
        }
@ -224,20 +224,20 @@ class HsOfficeMembershipRepositoryIntegrationTest extends ContextBasedTestWithCl
        }

        @Test
-        public void membershipReferrer_canViewButNotUpdateRelatedMembership() {
+        public void membershipAgent_canViewButNotUpdateRelatedMembership() {
            // given
            context("superuser-alex@hostsharing.net");
            final var givenMembership = givenSomeTemporaryMembership("First", "13");
            assertThatMembershipExistsAndIsAccessibleToCurrentContext(givenMembership);
            assertThatMembershipIsVisibleForRole(
                    givenMembership,
-                    "hs_office_membership#M-1000113:REFERRER");
+                    "hs_office_membership#M-1000113:AGENT");
            final var newValidityEnd = LocalDate.now();

            // when
            final var result = jpaAttempt.transacted(() -> {
                // TODO: we should test with debitor- and partner-admin as well
-                context("superuser-alex@hostsharing.net", "hs_office_membership#M-1000113:REFERRER");
+                context("superuser-alex@hostsharing.net", "hs_office_membership#M-1000113:AGENT");
                givenMembership.setValidity(
                        Range.closedOpen(givenMembership.getValidity().lower(), newValidityEnd));
                return membershipRepo.save(givenMembership);
--- a/src/test/java/net/hostsharing/hsadminng/hs/office/test/ContextBasedTestWithCleanup.java
+++ b/src/test/java/net/hostsharing/hsadminng/hs/office/test/ContextBasedTestWithCleanup.java
@ -5,8 +5,7 @@ import net.hostsharing.hsadminng.rbac.rbacobject.RbacObject;
 import net.hostsharing.hsadminng.rbac.rbacgrant.RbacGrantEntity;
 import net.hostsharing.hsadminng.rbac.rbacgrant.RbacGrantRepository;
 import net.hostsharing.hsadminng.rbac.rbacgrant.RbacGrantsDiagramService;
-import net.hostsharing.hsadminng.rbac.rbacobject.RbacObject;
-import net.hostsharing.hsadminng.rbac.rbacrole.RbacRoleRvEntity;
+import net.hostsharing.hsadminng.rbac.rbacrole.RbacRoleEntity;
 import net.hostsharing.hsadminng.rbac.rbacrole.RbacRoleRepository;
 import net.hostsharing.test.JpaAttempt;
 import org.jetbrains.annotations.NotNull;
@ -255,7 +254,7 @@ public abstract class ContextBasedTestWithCleanup extends ContextBasedTest {
        return jpaAttempt.transacted(() -> {
            context.define("superuser-alex@hostsharing.net", null);
            return rbacRoleRepo.findAll().stream()
-                    .map(RbacRoleRvEntity::getRoleName)
+                    .map(RbacRoleEntity::getRoleName)
                    .collect(toSet());
        }).assertSuccessful().returnedValue();
    }
--- a/src/test/java/net/hostsharing/hsadminng/rbac/rbacgrant/RbacGrantControllerAcceptanceTest.java
+++ b/src/test/java/net/hostsharing/hsadminng/rbac/rbacgrant/RbacGrantControllerAcceptanceTest.java
@ -5,7 +5,7 @@ import io.restassured.http.ContentType;
 import io.restassured.response.ValidatableResponse;
 import net.hostsharing.hsadminng.HsadminNgApplication;
 import net.hostsharing.hsadminng.context.ContextBasedTest;
-import net.hostsharing.hsadminng.rbac.rbacrole.RbacRoleRvEntity;
+import net.hostsharing.hsadminng.rbac.rbacrole.RbacRoleEntity;
 import net.hostsharing.hsadminng.rbac.rbacrole.RbacRoleRepository;
 import net.hostsharing.hsadminng.rbac.rbacuser.RbacUserEntity;
 import net.hostsharing.hsadminng.rbac.rbacuser.RbacUserRepository;
@ -361,11 +361,11 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
            this(currentUser, "");
        }

-        GrantFixture grantsRole(final RbacRoleRvEntity givenOwnPackageAdminRole) {
+        GrantFixture grantsRole(final RbacRoleEntity givenOwnPackageAdminRole) {
            return new GrantFixture(givenOwnPackageAdminRole);
        }

-        RevokeFixture revokesRole(final RbacRoleRvEntity givenOwnPackageAdminRole) {
+        RevokeFixture revokesRole(final RbacRoleEntity givenOwnPackageAdminRole) {
            return new RevokeFixture(givenOwnPackageAdminRole);
        }

@ -376,11 +376,11 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
        class GrantFixture {

            private Subject grantingSubject = Subject.this;
-            private final RbacRoleRvEntity grantedRole;
+            private final RbacRoleEntity grantedRole;
            private boolean assumed;
            private RbacUserEntity granteeUser;

-            public GrantFixture(final RbacRoleRvEntity roleToGrant) {
+            public GrantFixture(final RbacRoleEntity roleToGrant) {
                this.grantedRole = roleToGrant;
            }

@ -417,11 +417,11 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
        class RevokeFixture {

            private Subject currentSubject = Subject.this;
-            private final RbacRoleRvEntity grantedRole;
+            private final RbacRoleEntity grantedRole;
            private boolean assumed;
            private RbacUserEntity granteeUser;

-            public RevokeFixture(final RbacRoleRvEntity roleToGrant) {
+            public RevokeFixture(final RbacRoleEntity roleToGrant) {
                this.grantedRole = roleToGrant;
            }

@ -455,9 +455,9 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
        private class GetGrantByIdFixture {

            private Subject currentSubject = Subject.this;
-            private RbacRoleRvEntity grantedRole;
+            private RbacRoleEntity grantedRole;

-            GetGrantByIdFixture forGrantedRole(final RbacRoleRvEntity grantedRole) {
+            GetGrantByIdFixture forGrantedRole(final RbacRoleEntity grantedRole) {
                this.grantedRole = grantedRole;
                return this;
            }
@ -507,7 +507,7 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
        }).assertNotNull().returnedValue();
    }

-    RbacRoleRvEntity getRbacRoleByName(final String roleName) {
+    RbacRoleEntity getRbacRoleByName(final String roleName) {
        return jpaAttempt.transacted(() -> {
            context("superuser-alex@hostsharing.net", null);
            return rbacRoleRepository.findByRoleName(roleName);
--- a/src/test/java/net/hostsharing/hsadminng/rbac/rbacrole/RbacRoleRepositoryIntegrationTest.java
+++ b/src/test/java/net/hostsharing/hsadminng/rbac/rbacrole/RbacRoleRepositoryIntegrationTest.java
@ -175,21 +175,21 @@ class RbacRoleRepositoryIntegrationTest {
        }
    }

-    void exactlyTheseRbacRolesAreReturned(final List<RbacRoleRvEntity> actualResult, final String... expectedRoleNames) {
+    void exactlyTheseRbacRolesAreReturned(final List<RbacRoleEntity> actualResult, final String... expectedRoleNames) {
        assertThat(actualResult)
-                .extracting(RbacRoleRvEntity::getRoleName)
+                .extracting(RbacRoleEntity::getRoleName)
                .containsExactlyInAnyOrder(expectedRoleNames);
    }

-    void allTheseRbacRolesAreReturned(final List<RbacRoleRvEntity> actualResult, final String... expectedRoleNames) {
+    void allTheseRbacRolesAreReturned(final List<RbacRoleEntity> actualResult, final String... expectedRoleNames) {
        assertThat(actualResult)
-                .extracting(RbacRoleRvEntity::getRoleName)
+                .extracting(RbacRoleEntity::getRoleName)
                .contains(expectedRoleNames);
    }

-    void noneOfTheseRbacRolesIsReturned(final List<RbacRoleRvEntity> actualResult, final String... unexpectedRoleNames) {
+    void noneOfTheseRbacRolesIsReturned(final List<RbacRoleEntity> actualResult, final String... unexpectedRoleNames) {
        assertThat(actualResult)
-                .extracting(RbacRoleRvEntity::getRoleName)
+                .extracting(RbacRoleEntity::getRoleName)
                .doesNotContain(unexpectedRoleNames);
    }

--- a/src/test/java/net/hostsharing/hsadminng/rbac/rbacrole/TestRbacRole.java
+++ b/src/test/java/net/hostsharing/hsadminng/rbac/rbacrole/TestRbacRole.java
@ -4,11 +4,11 @@ import static java.util.UUID.randomUUID;

 public class TestRbacRole {

-    public static final RbacRoleRvEntity hostmasterRole = rbacRole("global", "global", RbacRoleType.ADMIN);
-    static final RbacRoleRvEntity customerXxxOwner = rbacRole("test_customer", "xxx", RbacRoleType.OWNER);
-    static final RbacRoleRvEntity customerXxxAdmin = rbacRole("test_customer", "xxx", RbacRoleType.ADMIN);
+    public static final RbacRoleEntity hostmasterRole = rbacRole("global", "global", RbacRoleType.ADMIN);
+    static final RbacRoleEntity customerXxxOwner = rbacRole("test_customer", "xxx", RbacRoleType.OWNER);
+    static final RbacRoleEntity customerXxxAdmin = rbacRole("test_customer", "xxx", RbacRoleType.ADMIN);

-    static public RbacRoleRvEntity rbacRole(final String objectTable, final String objectIdName, final RbacRoleType roleType) {
-        return new RbacRoleRvEntity(randomUUID(), randomUUID(), objectTable, objectIdName, roleType, objectTable+'#'+objectIdName+':'+roleType);
+    static public RbacRoleEntity rbacRole(final String objectTable, final String objectIdName, final RbacRoleType roleType) {
+        return new RbacRoleEntity(randomUUID(), randomUUID(), objectTable, objectIdName, roleType, objectTable+'#'+objectIdName+':'+roleType);
    }
 }